Notes on insecure (HTTP) downloads

docz/docs/03-demos/27-local/01-file.md

@@ -282,6 +282,19 @@ client browser. Some APIs do not give any feedback.
 
 :::
 
+:::caution pass
+
+In insecure (HTTP) contexts, Google Chrome will block downloads by default. The
+following screenshot was taken in Chrome 126.0.6478.127:
+
+![Insecure download blocked](pathname:///files/dlblk.png)
+
+This is a browser limitation and no pure JavaScript library can work around the
+issue. See [Issue #3145](https://git.sheetjs.com/sheetjs/sheetjs/issues/3145) in
+the SheetJS bug tracker for more details.
+
+:::
+
 ### HTML5 Download Attribute
 
 _Writing Files_
@@ -436,6 +449,8 @@ drop_dom_element.addEventListener("dragenter", suppress, false);
 At the time of writing, browser support was fairly limited.  Chrome introduced
 the feature in version 86.  Safari did not support File System Access API.
 
+The File System Access API is only available in secure (HTTPS) contexts.[^4]
+
 :::
 
 :::caution pass
@@ -819,4 +834,5 @@ Desktop and mobile apps have their own specific APIs covered in separate demos:
 
 [^1]: See ["Input Type" in "Reading Files"](/docs/api/parse-options#input-type)
 [^2]: See ["Supported Output Formats" type in "Writing Files"](/docs/api/write-options#supported-output-formats)
-[^3]: See ["Buffers and TypedArrays"](https://nodejs.org/api/buffer.html#buffers-and-typedarrays) in the NodeJS documentation.
+[^3]: See ["Buffers and TypedArrays"](https://nodejs.org/api/buffer.html#buffers-and-typedarrays) in the NodeJS documentation.
+[^4]: See [issue 3145 in the SheetJS bug tracker](https://git.sheetjs.com/sheetjs/sheetjs/issues/3145#issuecomment-11074) for more details. Special thanks to `@sjoenH`!

docz/docs/09-miscellany/02-errors.md

@@ -474,3 +474,20 @@ to an `index.html` file, bypassing any third-party post-processing
 
 There are known bugs with the SWC minifier (used in Next.js 13+). The original
 minifier can be enabled by setting `swcMinify: false` in `next.config.js`.
+
+#### This file should be served over HTTPS
+
+`writeFile` uses platform APIs to download files. In browsers, `writeFile` uses
+the [`download` attribute](/docs/demos/local/file/#html5-download-attribute).
+
+Newer versions of Google Chrome and other browsers will block these downloads
+from "insecure contexts" (when served over HTTP rather than HTTPS). Users may be
+presented with the option to "keep" or "save" the file:
+
+![Download blocked](pathname:///files/dlblk.png)
+
+These limitations are enforced by the browser. It is strongly recommended to
+serve websites over HTTPS when possible.
+
+See [issue #3145](https://git.sheetjs.com/sheetjs/sheetjs/issues/3145) for a
+longer discussion.